WebProNews

Tag: single sign-on

  • NSA Warning of On-Premise to Cloud Attacks

    The National Security Agency is warning of attacks that target the local network and ultimately compromise organizations’ cloud resources.

    As companies migrate to the cloud, improved security is one of the top selling points. While that is generally true, many security processes need to be reworked to account for cloud computing. This is especially true as many cloud systems and platforms are designed to interoperate with each other.

    One security measure that has become popular is federated single sign-on (SSO). SSO is a way for an individual to use a single set of credentials to log into any number of authorized applications and services. Federated SSO advances that concept to allow a user to log into services across networks and platforms with the same trusted credentials.

    Unfortunately, hackers appear to be using federated SSOs to escalate attacks from compromised local networks to cloud resources.

    The NSA has documented two such types of attack:

    In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens (TA0006, T1552, T1552.004). Using the private keys, the actors then forge trusted authentication tokens to access cloud resources. A recent NSA Cybersecurity Advisory warned of actors exploiting a vulnerability in VMware Access® and VMware Identity Manager® that allowed them to perform this TTP and abuse federated SSO infrastructure. While that example of this TTP may have previously been attributed to nation-state actors, a wealth of actors could be leveraging this TTP for their objectives. This SAML forgery technique has been known and used by cyber actors since at least 2017.

    In a variation of the first TTP, if the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.

    In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources). The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious (T1114, T1114.002).

    The NSA’s document contains mitigation techniques and should be read immediately by all system admins.
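    Both TTPs above leave traces in identity-provider and cloud audit logs: a token signed by a key the defender has not pinned, a new certificate added to a federation trust, credentials added to a service principal, and that service principal reading mail shortly afterwards. The detection logic below is an added example written for this page, not code from the NSA document or the article. It runs over constructed sample events in a hypothetical JSON-lines schema (the event and field names are assumptions; map your own IdP and cloud audit event names onto the four rules).

```python
"""Detection rules for the two federated-SSO abuse TTPs (added example).

The log schema below is hypothetical: real IdP and cloud audit logs use
different event and field names, so the rules must be mapped onto them.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit events (not real product output). Each line is one
# JSON object; the stream mixes benign activity with the patterns of both TTPs.
SAMPLE_LOG = """
{"ts": "2020-12-17T10:00:00Z", "event": "TokenIssued", "actor": "alice@corp.example", "signing_key": "AA11"}
{"ts": "2020-12-17T10:05:00Z", "event": "TokenIssued", "actor": "alice@corp.example", "signing_key": "DEAD"}
{"ts": "2020-12-17T10:10:00Z", "event": "FederationTrustUpdated", "actor": "admin@corp.example", "added_cert": "BEEF"}
{"ts": "2020-12-17T11:00:00Z", "event": "AddServicePrincipalCredential", "actor": "globaladmin@corp.example", "target_sp": "mail-archiver"}
{"ts": "2020-12-17T11:30:00Z", "event": "MailItemsAccessed", "actor_type": "ServicePrincipal", "actor": "mail-archiver", "mailbox": "ceo@corp.example"}
{"ts": "2020-12-17T12:00:00Z", "event": "MailItemsAccessed", "actor_type": "ServicePrincipal", "actor": "backup-sp", "mailbox": "cfo@corp.example"}
"""

# Thumbprints of the SAML signing keys the on-premises IdP is known to use.
# Pinning them lets the rule flag tokens signed with any other key (TTP 1).
TRUSTED_SIGNING_KEYS = {"AA11"}

# Mail access by a service principal that received new credentials within this
# window is flagged (TTP 2: credential assigned, then used for automated access).
CRED_TO_ACCESS_WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of (rule, actor, detail) alerts for the four patterns."""
    alerts = []
    recently_credentialed = {}  # service principal -> time credentials were added
    for e in events:
        kind = e["event"]
        if kind == "TokenIssued" and e.get("signing_key") not in TRUSTED_SIGNING_KEYS:
            # TTP 1: token signed by a key that is not the pinned IdP key.
            alerts.append(("TTP1-token-unpinned-signing-key", e["actor"], e["signing_key"]))
        elif kind == "FederationTrustUpdated":
            # TTP 1 variant: a new certificate trust relationship was added in the tenant.
            alerts.append(("TTP1-variant-new-trust-cert", e["actor"], e["added_cert"]))
        elif kind == "AddServicePrincipalCredential":
            # TTP 2, step 1: an administrator assigned credentials to an application identity.
            recently_credentialed[e["target_sp"]] = e["ts"]
            alerts.append(("TTP2-sp-credential-added", e["actor"], e["target_sp"]))
        elif kind == "MailItemsAccessed" and e.get("actor_type") == "ServicePrincipal":
            # TTP 2, step 2: the newly credentialed application reads mail shortly after.
            added = recently_credentialed.get(e["actor"])
            if added is not None and e["ts"] - added <= CRED_TO_ACCESS_WINDOW:
                alerts.append(("TTP2-sp-mail-access-after-new-cred", e["actor"], e["mailbox"]))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:40s} actor={actor} detail={detail}")
```

    On the sample stream the rules raise four alerts: the token signed with key DEAD, the BEEF certificate added to the federation trust, the credential added to mail-archiver, and mail-archiver reading the CEO mailbox thirty minutes later; backup-sp is not flagged because no credential was added to it within the window. The signing-key rule only works if the token-issuance log records which key signed the token, which is why the pinned thumbprint set is the first thing to establish.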

  • Facebook Preaches The Importance Of Open Graph Again

    Facebook really loves Open Graph and wants you to love it too. While they have been hammering home how great it is ever since its introduction, Facebook thinks you need some more reminding. It’s especially important if you have a mobile app that could use a little traffic boost through Facebook.

    If you’ve been following any of Facebook’s previous developer spotlights, you know that Facebook sends a lot of people to mobile apps. We never knew the exact number, but it was just assumed that a lot of people were using Facebook to connect to their favorite apps. It looks like “a lot” doesn’t really begin to describe it, as Facebook says that it sent more than 160 million people to apps last month. To put that into perspective, it was only sending 60 million people in February.

    But wait, it gets bigger and better. Those 160 million people are using Facebook to connect with their favorite mobile apps in a big way. During the same time frame, there have been 1.1 billion visits to mobile apps through Facebook. In February, Facebook was only pushing 320 million visits.

    You might want to take advantage of Open Graph now and not just for the increased traffic. It also means more money as seven of the top 10 grossing iOS apps and six of the top 10 grossing Android apps are integrated with Facebook in some way. Those in the top 10 that aren’t integrated with Facebook could probably be making a whole lot more money if they were.

    Getting into specifics, Facebook calls out some mobile apps that have seen tremendous growth after integrating with Facebook. The mobile app for social professional network BranchOut now has 12.5 million monthly active users after integrating with Facebook. Only 12 weeks ago, the mobile app was getting 1 million MAU. Even more amazing, the app has seen 28 million visits from Facebook in the past 28 days.

    Surely you all have heard of Viddy, the Instagram of video. It’s a free app on iOS, but it has exploded since integration with Facebook. The service now has 16 million registered users. It also helped contribute to Viddy becoming top free app on the iTunes app store at the beginning of the month.

    Flixster has also grown its business and visitors after integrating with Facebook. The number of visitors has increased 10 times, with over 480,000 people accessing the app per day over the last month. Those visitors contributed to an amazing 15 million visits during the same time frame.

    While Open Graph is definitely a big factor in increasing your mobile app presence on Facebook, taking advantage of Single Sign On is also a big deal. Allowing users to access your app through Facebook makes them more likely to use it, since they don’t have to create a separate account. After that, you can hook them with Open Graph actions that encourage them to return and use the app more.

  • Facebook Single Sign-On Pro-Tips

    Today, Facebook released a list of best practices for developers of iOS and Android apps that implement the Single Sign-On (SSO) features that Facebook debuted a year ago.

    Using SSO, developers are able to save their users the time and frustration of logging in to their apps repeatedly. The developers also have access to the Graph API to build in-app social experiences.

    Facebook recommends the following 4 Pro-Tips for developers:

    Pro-tip 1: Include Facebook Login at User Registration

    Apps will often only use SSO and Facebook Login when asking the user to enable Facebook features in the app. You should also include Facebook Login anywhere you prompt the user to Register for your app, often times when users launch your app for the first time. Users can enjoy a simplified registration process, and you can request the same information, such as e-mail address, that you would normally collect manually from the user.

    Pro-tip 2: Store the user’s session in your app

    After your user authenticates for the first time, you should immediately store the authentication result locally. This way, you can keep the user logged-in to your app without having the user re-authenticate each time.

    Pro-tip 3: Request only the permissions your app needs

    We have streamlined the SSO permissions dialog, along with all permission dialogs in our recently announced Improved Auth Dialog. You should only request the permissions you need to get the user registered and using your app’s social features.

    As part of our ongoing efforts to improve privacy protections for Facebook users, we’ve deprecated the ‘offline_access’ permission. Instead, you now have the option to extend the expiration of existing, valid access tokens for a limited amount of time without requiring the user to login again. Learn more about upgrading access tokens. Also, many apps incorrectly ask for ‘publish_stream’ when using our Feed Dialog. Your app only needs ‘publish_stream’ if it will be publishing to the user’s feed programmatically with the Graph API.

    Pro-tip 4: Complete all iOS and Android Fields in your App Settings

    Be sure to fill out every field related to your app in your app settings in the Native iOS App and the Native Android App fields. You can access these app settings for your app here. On iOS, if these fields are not configured, we will not be able to drive traffic to your app or the iOS App Store. In addition, we use the iOS Bundle ID to streamline authentication for users who have already authenticated your app.